On Thursday 21st of October 2021, researchers at Gemini Advisory released a blog detailing evidence that the FIN7 (aka ‘Carbanak’) hacking group had set up a fake cybersecurity company, known as Bastion Security, which was being used to hire pentesters and system administrators to conduct the pre-encryption stages of ransomware attacks.
Researchers discovered that the Bastion Security website was made up of stolen and recompiled content from other websites, such as that of Convergent Network Solutions Ltd. They also found that the company claimed to be based in England, yet the site served Russian-language 404 error pages.
Through the Bastion Security website, FIN7 was looking to hire C++, PHP, and Python programmers, Windows system administrators, and reverse engineering specialists for a salary of between $800 and $1,200 per month. FIN7 was looking for individuals with the ability to map compromised corporate systems, perform network reconnaissance, and locate backup servers and files.
One of Gemini Advisory’s sources applied for one of the jobs in order to investigate the fake company further and gather more evidence that FIN7 was behind it. The source discovered that the internal tools used by the company were the well-known post-exploitation tools Carbanak and Lizar/Tirion, disguised as “Command Manager.” The source was then tasked with collecting information on admin accounts and backups on a company’s network, which they were told belonged to a client that had ordered pentesting services.